For an app all about spilling the beans on who you're allegedly dating, it's ironic that TeaOnHer was spilling the private information of thousands of its users onto the open web.
TeaOnHer was designed for men to share photos and details about women they claim to have dated. But much like Tea, the dating-gossip app for women it was trying to replicate, TeaOnHer had gaping holes in its security that exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents, as TechCrunch reported last week.
These gated, community-like apps were created ostensibly to let users share information about their relationships under the guise of personal safety. However, shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information in order to use apps and websites.
Such risks are only going to get worse: popular apps and web services already have to comply with age verification laws that require people to submit their identity documents before they can be granted access to adult-themed content, despite the privacy and security risks associated with storing databases of people's personal information.
When TechCrunch published our story last week, we didn't publish specific details of the bugs we found in TeaOnHer, erring on the side of caution so as not to help bad actors exploit them. Instead, we decided to publish a limited disclosure, given the app's rising popularity and the immediate risks that users faced when using the app.
As of the time of disclosure, TeaOnHer was #2 in the free app charts on the Apple App Store, a position the app still holds today.
The issues we found appear to be resolved. TechCrunch can now share how we were able to find users' driver's licenses within 10 minutes of being sent a link to the app in the App Store, thanks to easy-to-find flaws in the app's public-facing backend system, or API.
The app's developer, Xavier Lampkin, did not respond to multiple requests for comment after we submitted details of the security flaws, nor would Lampkin commit to notifying affected TeaOnHer users or state regulators of the security lapse.
We also asked Lampkin whether any security reviews were carried out before the TeaOnHer app was launched, but we received no reply. (We have more on disclosure later on.)
Alright, start the clock.
TeaOnHer exposed 'admin panel' credentials
Before we even downloaded the app, we first wanted to find out where TeaOnHer was hosted on the internet by looking at its public-facing infrastructure, such as its website and anything hosted on its domain.
This is usually a good place to start, as it helps to understand what other services the domain is connected to on the internet.
To find the domain name, we first looked (by chance) at the app's listing on the Apple App Store to find the app's website. This can usually be found in its privacy policy, which apps must include before Apple will list them. (The app listing also claims the developer "does not collect any data from this app," which is demonstrably false, so take that as you will.)
TeaOnHer's privacy policy was in the form of a published Google Doc, which included an email address on a teaonher.com domain, but no website.
The website wasn't public at the time, so with no website loading, we looked at the domain's public-facing DNS records, which can help to identify what else is hosted on the domain, such as the type of email servers or hosting. We also wanted to look for any public subdomains that the developer might use to host functionality for the app (or host other resources that should probably not be public), such as admin dashboards, databases, or other web-facing services.
But when we looked at TeaOnHer's public web records, they held no meaningful information other than a single subdomain, appserver.teaonher.com.
When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here). An API simply allows things on the internet to talk to each other, such as linking an app to its central database.
It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off "password") for Lampkin's account to access the TeaOnHer "admin panel."
The API page showed that the admin panel, used for the document verification system and user management, was located at "localhost," which simply refers to the physical computer running the server and would not have been directly accessible from the internet. It's unclear whether anyone could have used the credentials to access the admin panel, but this was in itself a sufficiently alarming finding.
At this point, we were only about two minutes in.
Otherwise, the API landing page didn't do much other than offer some indication of what the API can do. The page listed several API endpoints, which the app needs to access in order to function, such as retrieving user records from TeaOnHer's database, letting users leave reviews, and sending notifications.
With knowledge of these endpoints, it can be easier to interact with the API directly, as if we were imitating the app itself. Every API is different, so learning how an API works and how to communicate with it can take time to figure out, such as which endpoints to use and the parameters needed to effectively speak its language. Apps like Postman can be useful for accessing and interacting directly with APIs, but this requires time and a certain degree of trial and error (and patience) to make APIs spit out data when they shouldn't.
But in this case, there was an even easier way.
TeaOnHer API allowed unauthenticated access to user data
This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) listing the full set of commands that can be performed on the API.
This documentation page was effectively a master sheet of all the actions you could perform on the TeaOnHer API as a regular app user and, more importantly, as the app's administrator, such as creating new users, verifying users' identity documents, moderating comments, and more.
The API documentation also offered the ability to query the TeaOnHer API and return user data, essentially letting us retrieve data from the app's backend server and display it in our browser.
While it's not unusual for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication: no passwords or credentials were needed to return information from the TeaOnHer database. In other words, you could run commands on the API to access users' private data that should not have been accessible to a user of the app, let alone anyone on the internet.
All of this was conveniently and publicly documented for anyone to see.
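A Swagger UI page like the one described above is rendered from an OpenAPI document, and that document can be audited for exactly this defect: operations that declare no security requirement at all. The block below is an added example (not TeaOnHer's or TechCrunch's code); the spec, endpoint paths and allowlist are constructed stand-ins modelled on the endpoints the article describes.

```python
"""Audit an OpenAPI document for operations that no security requirement covers.

Added example, not code from TeaOnHer. SAMPLE_SPEC is a constructed stand-in:
a spec that defines a bearer scheme but leaves most operations anonymous.
"""
import json
from typing import List, Tuple

SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/health": {"get": {"summary": "Server status"}},
        "/admin/verification-queue": {"get": {"summary": "Pending ID checks"}},
        "/users/{user_id}": {
            "get": {"summary": "User record"},
            "delete": {"summary": "Remove user", "security": [{"bearer": []}]},
        },
        "/reviews": {"post": {"summary": "Leave a review", "security": [{"bearer": []}]}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
# Operations that are legitimately anonymous; everything else must be protected.
PUBLIC_ALLOWLIST = {("get", "/health")}


def unauthenticated_operations(spec_text: str) -> List[Tuple[str, str]]:
    """Return (METHOD, path) pairs that can be called without any credential.

    OpenAPI semantics: a top-level `security` list is the default for every
    operation; an operation may override it, and an explicit empty list
    (`security: []`) makes that operation anonymous on purpose.
    """
    spec = json.loads(spec_text)
    default_security = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            effective = operation.get("security", default_security)
            if not effective and (method, path) not in PUBLIC_ALLOWLIST:
                findings.append((method.upper(), path))
    return sorted(findings)


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        print(f"NO AUTH: {method} {path}")
```

Run against a real spec (fetch `/openapi.json` or the URL Swagger UI loads), a non-empty result on anything other than the allowlist is a finding to fix before the API goes live.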
Requesting a list of users currently in the TeaOnHer identity verification queue, for example (no more than pressing a button on the API page, nothing fancy here), would return dozens of account records on people who had recently signed up to TeaOnHer.
The data returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The data also included web address links to photos of the users' driver's licenses and corresponding selfies.
Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud storage bucket set to be publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere, with no restrictions.
With that unique user identifier, we could also use the API page to look up individual users' records directly, which would return their account data and any of their associated identity documents. With unrestricted access to the API, a malicious user could have scraped huge amounts of user data from the app, much like what happened with the Tea app to begin with.
From bean to cup, that was about 10 minutes, and we hadn't even logged in to the app yet. The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did.
We asked, but Lampkin wouldn't say whether he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API.
In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy." At least on cursory tests, the API now appears to require authentication, and the previous calls made using the API no longer work.
The web addresses containing users' uploaded identity documents have also been restricted from public view.
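Restricting the documents from public view is the right fix, but the app still needs to show a user (or a moderator) their own uploaded ID. The usual answer is a short-lived link that is signed and bound to the requesting account, which is what pre-signed object URLs provide on S3. The block below is an added example, not TeaOnHer's code: it implements that pattern with a stand-in HMAC scheme so it runs offline, and the signing key, host and paths are constructed placeholders.

```python
"""Serve identity documents only through short-lived links bound to one user.

Added example, not code from TeaOnHer. Stand-in for a pre-signed object URL:
the key, host and document paths below are constructed placeholders.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # constructed sample
DOCS_HOST = "https://id-docs.example.invalid"             # placeholder host
TTL_SECONDS = 300  # links die after five minutes


def _mac(path: str, user_id: str, expires: int) -> str:
    """Signature over the path, the bound user and the expiry, so none can be swapped."""
    msg = f"{path}\n{user_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(path: str, user_id: str, now: Optional[int] = None) -> str:
    """Create a link to `path` that only `user_id` can use, valid for TTL_SECONDS."""
    now = int(time.time()) if now is None else now
    expires = now + TTL_SECONDS
    query = urlencode({"uid": user_id, "exp": expires, "sig": _mac(path, user_id, expires)})
    return f"{DOCS_HOST}{path}?{query}"


def authorize(url: str, requesting_user: str, now: Optional[int] = None) -> bool:
    """Allow only if the link is unexpired, untampered, and presented by the bound user."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        uid, exp, sig = query["uid"][0], int(query["exp"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return False  # a bare object path, or a mangled query, never opens a document
    if requesting_user != uid or now >= exp:
        return False
    return hmac.compare_digest(sig, _mac(parts.path, uid, exp))
```

In production the bucket stays private and the storage service does the signing and checking; the point here is that possession of a link alone is never enough to open someone else's document.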
TeaOnHer developer dismissed efforts to disclose flaws
Given that TeaOnHer had no official website at the time of our findings, TechCrunch contacted the email address listed on the privacy policy in an effort to disclose the security lapses.
But the email bounced back with an error saying the email address could not be found. We also tried contacting Lampkin via the email address on his website, Newville Media, but our email bounced back with the same error message.
TechCrunch reached Lampkin via LinkedIn message, asking him to provide an email address where we could send details of the security flaws. Lampkin replied with a generic "support" email address.
When TechCrunch discloses a security flaw, we first reach out to confirm that a person or company is the correct recipient. Otherwise, blindly sending details of a security bug to the wrong person could create a risk. Before sharing specific details of the flaws, we asked the recipient of the "support" email address whether this was the correct address to disclose a security exposure involving TeaOnHer user data.
"You must have us confused with 'the Tea app'," Lampkin replied by email. (We hadn't.) "We don't have a security breach or data leak," he said. (It did.) "We have some bots at most but we haven't scaled big enough to be in that conversation yet, sorry you were misinformed." (We weren't.)
Satisfied that we had established contact with the correct person (albeit not with the response we received), TechCrunch shared details of the security flaws, as well as several links to exposed driver's licenses, and a copy of Lampkin's own data to underscore the severity of the security issues.
"Thank you for this information. This is very concerning. We're going to jump on this right now," said Lampkin.
Despite several follow-up emails, we have not heard from Lampkin since we disclosed the security flaws.
It doesn't matter if you're a one-person software shop or a billionaire vibe coding over a weekend: developers still have a responsibility to keep their users' data safe. If you can't keep your users' private data safe, don't build it in the first place.
If you have evidence of a popular app or service leaking or exposing information, get in touch. You can securely contact this reporter via encrypted message at zackwhittaker.1337 on Signal.